Community Note
Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments; they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.
Description
Both the Azure API and the Azure CLI support creating a User Delegation SAS key, which is a storage account key signed against the user's credentials rather than against the main storage account key.
This means we can prevent auth using the storage account key (see here; our storage account has this set to false) but still allow our service principal to create working SAS tokens.
At present, the SAS tokens we create when shared_access_key_enabled = false do not work, as they are based on the disabled account key. User delegation keys allow for this.
New or Affected Resource(s)/Data Source(s)
data.azurerm_storage_account_sas
Potential Terraform Configuration
data "azurerm_storage_account_sas" "example" {
  connection_string = azurerm_storage_account.example.primary_connection_string
  https_only        = true

  # Below would be a new parameter
  key_type = "UserDelegation" # One of UserDelegation, AccountKey. Defaults to AccountKey

  resource_types {
    service   = true
    container = false
    object    = false
  }

  services {
    blob  = true
    queue = false
    table = false
    file  = false
  }

  start  = "2023-10-21T00:00:00Z"
  expiry = "2024-10-20T00:00:00Z"

  permissions {
    read    = true
    write   = true
    delete  = false
    list    = false
    add     = true
    create  = true
    update  = false
    process = false
    tag     = false
    filter  = false
  }
}

output "sas_url_query_string" {
  value = data.azurerm_storage_account_sas.example.sas
}
References
No response
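Until the data source grows a key_type argument, the practical workaround is to let the Azure CLI mint the user delegation SAS and feed it back into Terraform through the external data source. The following is an added example written for this page; it is not code from the issue author or from the azurerm provider. It assumes the resource names (example, sas_minter, user_delegation_sas), the variable sas_expiry, that the az CLI and jq are on the path, and that az is logged in as the same principal Terraform runs as. The storage account block shows the weak setting (account keys still enabled) next to the disabled one the issue describes.

```hcl
# Added example (not from the issue or the provider): mint a user delegation SAS
# today by shelling out to the Azure CLI, because data.azurerm_storage_account_sas
# only signs with the account key. Resource and variable names are hypothetical.

resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacct"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # shared_access_key_enabled = true   # default: account-key-signed SAS works,
  #                                    # but so does anyone holding the key
  shared_access_key_enabled = false    # keys disabled: only Azure AD auth and
                                       # user delegation SAS remain valid
}

resource "azurerm_storage_container" "example" {
  name                  = "data"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
}

data "azurerm_client_config" "current" {}

# Requesting a user delegation key needs the
# Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey
# action, which Storage Blob Data Contributor includes.
resource "azurerm_role_assignment" "sas_minter" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

variable "sas_expiry" {
  description = "UTC expiry in the CLI's Y-m-d'T'H:M'Z' form; at most 7 days out, the user delegation key limit"
  type        = string
  default     = "2023-10-28T00:00Z"
}

# `--as-user --auth-mode login` makes the CLI sign with a user delegation key
# obtained through its Azure AD login, not the (disabled) account key.
# jq wraps the bare token in the JSON object the external data source expects.
data "external" "user_delegation_sas" {
  program = ["bash", "-c", <<-EOT
    az storage container generate-sas \
      --account-name ${azurerm_storage_account.example.name} \
      --name ${azurerm_storage_container.example.name} \
      --permissions racw \
      --expiry ${var.sas_expiry} \
      --https-only \
      --auth-mode login \
      --as-user \
      --output tsv \
    | jq -R '{sas: .}'
  EOT
  ]

  depends_on = [azurerm_role_assignment.sas_minter]
}

output "user_delegation_sas_query_string" {
  value     = data.external.user_delegation_sas.result.sas
  sensitive = true
}
```

Two caveats before adopting this. A user delegation key is valid for at most seven days, so a year-long expiry like the one in the proposed configuration cannot be satisfied by a user delegation SAS regardless of how the provider implements it; plan for short-lived tokens and re-issue them. And the token lands in Terraform state like any other data source result, so the state backend must be treated as holding a credential even though the account key itself is never used.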